Can we get the forum secured?

Yes, you too. Please post your password… it’s not a big deal.

It’s obvious that the admin/owner here either doesn’t understand (bad) or doesn’t care (worse) about security.

SSL is free, takes little to zero effort to do. I’ve personally deployed Let's Encrypt across more than a dozen websites running various server configurations, from Apache to Nginx and even Microsoft IIS.

I guess we can’t be all that surprised, looking at the site - it’s running Drupal 7, which is 8 year old software. The owner can’t be bothered not only to apply a simple SSL, but can’t even be bothered to keep the software up-to-date.

Those that are saying this isn’t a big deal, you clearly don’t understand the purpose of it. Sure THIS site is a flashlight forum, but there is still sensitive data on here that not every member wants to be shared publicly such as email and passwords… all of which is passed in the clear over HTTP.

Again, this is an easy and FREE layer of security that there is no good reason not to apply.

Further, search engines give higher ranking to sites that do use HTTPS. So not only is deploying an SSL good for the users and site owner, but the site also benefits from it from search engines.

I have to admit I used a separate email address and a different password for this forum. If someone were to compromise that data it wouldn’t hurt me at all (no content in that inbox), although I wouldn’t want it to happen (I don’t think it will happen). If someone were to use a personal/important address or an easy password it might be another issue? So far I have not heard of any issues on here.

From what I gather there is one person providing us a free-of-charge place to talk about flashlights and other closely related topics. From the amount of advertising on this site I would assume not much money is being brought in by that advertising, and that the man running the show probably puts out more time and money in keeping it up and running than is being brought in from said advertising. There is one absolute way to ease all of your concerns about the security you seek. Don’t use the site.

In this day and age it is not someone else’s responsibility to make sure you are feeling all safe and warm. That is your responsibility. If you feel you aren’t safe, change your circumstance. You may have gotten a warmer reception to this topic by PM’ing the admin and taking it up with him privately. You chose a different route so now you get to hear everyone else’s opinions. So enjoy. Good day to ya.

Okay, let’s go with that. The site doesn’t make much money. No problem… again SSL can be had for FREE. It doesn’t get much cheaper than that.

I’m not looking for “warm reception”, I’m looking for a site owner to make the right decision and take steps to protect the data we submit here, such as our email and password.

In this case it IS someone else’s responsibility to make this site secure… not me. In fact I’ve offered to assist if the owner is unfamiliar. Exactly what more can a regular user do?

[quote=79ford]

Accept that it will happen when the site owner feels like it, or move on?

"Security" of a website is an extremely nebulous and general term, with countless factors coming into play:

https://budgetlightforum.com/t/-/52457/15

https://budgetlightforum.com/t/-/52457/22

This is blatant misinformation and pure FUD. Here's the most recent Drupal 7 security patch from October 17 (4 days ago), which I applied on that very same day within hours of its release, as I have for every single other security update released during the past 8+ years of administering BLF:

https://www.drupal.org/psa-2018-10-17

Drupal 7 is fully supported still, with both security and feature / bug fixes.

In short, @79ford, if you feel insecure by using BLF despite all the above facts, or if you insist on spreading false information, I suggest you stop using it.

What is pure FUD? :open_mouth:

I know what FODDER is and what FUBAR means, but don’t have any idea of what FUD is about :smiley:

:slight_smile:

https://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt

Oh that’s why I don’t know it…it is one of them “nice” acronyms…abbreviations… :person_facepalming:

This is flat out wrong. You don’t run SSL on this server, yet somehow you know it’s going to cripple your server? SSL uses little to no resources; in fact, with the use of features such as HTTP/2 (most up-to-date webservers support this) the load on a web server is actually LESS.

At no time have I said SSL makes your website 100% hack proof… nothing does. It adds another layer of protection. Security has always been about layers. There is no one silver bullet that stops everything. Pretending SSL doesn’t provide security is silly.

To think no one ever does this, or that it’s “not common”, is completely wrong. In fact there are several applications, add-ons and hardware devices that assist people in doing this. Browser add-ons like Firesheep (see Wikipedia) or hardware like the Pineapple (https://shop.hak5.org/products/wifi-pineapple).

Their sole purpose is to intercept traffic.

Even well known anti-virus software does this - “Project Zero calls out Kaspersky AV for SSL interception practices” (ZDNet).

The benefits of SSL are obvious. The users (and the site) benefit from the EXTRA security, the site benefits from less load on the server and better search engine rankings. It’s a win win.

This is what I do. My LastPass master password is in a hidden file on my Macs. I open the file and then copy and paste the LastPass master password to log into LastPass. Then I use LastPass to log into my websites. No online typing involved. Every website has a different long complicated password. If somehow someone figures out my BLF password (I say next to impossible unless BLF somehow gets hacked), all my other websites are still protected.

After 6 years of not posting on BudgetLightForum (that doesn’t mean you were not active or logged in!!) you post again, and to talk about the security and not about the gazillions of beautiful, futuristic, incredible, bright, [insert more qualifying adjectives] FLASHLIGHTS that have been produced during all these years??? :stuck_out_tongue:

No can do, that’s almost heresy!! :smiling_imp:

I trust SB’s maintenance and structure! :arrow_right:

Yeah, all they could do is post some nasty things here and you’d just get 1000 “rude”s…

Wut? HTTP/2 and TLS are entirely separate issues. HTTP/2 works with or without encryption.

And, I’m sorry, but whatever you’re smoking, I want some. You actually believe that encrypting all the traffic plus the overhead of key exchange and protocol negotiation actually takes less CPU than not encrypting? Is that why crypto coprocessors and SSL offloading are so popular, because encryption is free?

As far as I can tell, BLF runs on Lunanode. If the node size it’s currently running on is nearly maxed out, you’re out of your mind if you think adding encryption is going to reduce CPU load. And upgrading costs money.

Hmmmm!
It’s a flashlight forum…
Why would you be concerned about the FEDS / Interpol / your ISP on BLF?
Or even some hacker?
They’re going to find out about your latest flashlight and rat you out to your spouse?

Online banking, online shopping, Feebay, and so forth. Yes, HTTPS is important.
On BLF? Exactly what is the nature of the threat / fear?

Separate but very much related. While HTTP/2 can work with HTTP most browsers DON’T support it in that method and only support HTTP/2 while using HTTPS.

“Although the standard itself does not require usage of encryption,[28] all major client implementations (Firefox,[29] Chrome, Safari, Opera, IE, Edge) have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.” - HTTP/2 - Wikipedia

“Does HTTP/2 require encryption?…However, some implementations have stated that they will only support HTTP/2 when it is used over an encrypted connection, and currently no browser supports HTTP/2 unencrypted” - HTTP/2 Frequently Asked Questions

“With just a simple change to the server configuration, the website performs noticeably better over HTTP/2 than HTTP/1.1. The page load time dropped by over 13% thanks to fewer TCP connections, resulting in a lower time to first byte” - 2018 – Pingdom Year in Review - Pingdom

That’s a great question and one I see from many people. It’s just a flashlight forum, or it’s just a personal blog, or it’s just a website about turtles… who cares.

So while some people would like for you to believe it’s very uncommon for anyone to be snooping data connections, this is absolutely the case. In fact many people do so at public wifi spots, and many companies’ security devices do just that, all potentially leaking your username and password.

Even though some here in this thread have said SSL is no big deal… not one of them has posted their password.

Leaking of passwords is bad for obvious reasons. One of which is that while some here are using password managers (kudos, by the way!!), many people don’t and many re-use passwords. So while you’re connected to the internet and someone is snooping over that traffic (and they do, believe it or not), then that password gets out. So while it may be a flashlight forum password, for some it might just be their eBay, Amazon, and bank password too.

Password sniffing is just the start of it. Without SSL, it’s much easier to intercept your web traffic and inject malicious code such as malware or cryptominer software or redirect it to another page entirely.

SSL isn’t a silver bullet that will fix every security issue, no one has said that. It’s about layers. Just like your house, you don’t just put up a door and call it a day. You probably install a lock too, don’t you? You probably even lock that lock, right? I’m willing to bet you might even have a flashlight nearby so when there is a noise in the night you can make light day and see what’s going on?

Layers.

The same goes for websites. SSL adds very little to a server’s load, and if done correctly (like with HTTP/2) it can actually greatly improve the site’s performance. The owner could also use a free service like Cloudflare to provide the HTTPS (zero impact on the server at that point), which allows for even more features such as a content delivery network, DDoS protection and more. Again, all for FREE.
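To make the "simple change to the server configuration" concrete, here is an added example nginx configuration written for this thread (it is not BLF's own configuration, and the hostname `forum.example.com`, the webroot paths and the PHP-FPM socket are placeholders). It redirects plain HTTP to HTTPS, keeps the Let's Encrypt challenge path reachable so renewals keep working, enables HTTP/2 only on the TLS listener (matching the point above that browsers negotiate HTTP/2 only over TLS), and sends an HSTS header so a returning browser never sends the login form over port 80 again. The certificate paths follow Let's Encrypt's default layout under `/etc/letsencrypt`.

```nginx
# Added example for this thread, not the forum's real config.
# Assumed placeholders: forum.example.com, /var/www/letsencrypt, /var/www/drupal,
# and the php-fpm socket path.

# Port 80: only answer ACME challenges, send everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name forum.example.com;

    # Let's Encrypt (certbot --webroot) proves control of the domain over plain HTTP,
    # so this one path must stay reachable without TLS.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # 301 so browsers and search engines remember the HTTPS address.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS, and HTTP/2 only here, because browsers will not use HTTP/2 over plain HTTP.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name forum.example.com;

    ssl_certificate     /etc/letsencrypt/live/forum.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/forum.example.com/privkey.pem;

    # Modern protocols only; let the client pick from the server's cipher list.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Session resumption keeps the key-exchange cost down for returning visitors.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # HSTS: after one HTTPS visit the browser refuses plain HTTP for this host for a year,
    # which closes the window where a login form could be sniffed or tampered with.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/drupal;
    index index.php;

    # Standard Drupal 7 front-controller routing.
    location / {
        try_files $uri /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Obtain the certificate first with `certbot certonly --webroot -w /var/www/letsencrypt -d forum.example.com`, run `nginx -t` to check the file parses, then reload nginx. Start with a short HSTS `max-age` (say a few minutes) until you are sure every page loads cleanly over HTTPS, because once a browser has cached a long `max-age` it will not fall back to HTTP if something on the TLS side breaks.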

Hey, Mr. 13 posts, it might surprise you that SBD knows his SSH (IT) and doesn’t need a lecture from a know-nothing.

And is the one providing this fabulous resource to all of us (I don’t know quite how, maybe he’ll tell me one day in a PM).

Don’t knock stuff that you just don’t understand.

And be aware that everything could just be switched-off, all history erased, in a blink, (apart from the Wayback Machine) without very dedicated support from a good person.

Cool. Sounds like something I should do too. Thank you atbglenn.

Yep, that be me. Never got the time to get into that hobby, but it still interests me.

I don’t trust LastPass, so here’s what I do:

I use long, untypable, generated passwords for everything, stored in keepass (I use keepassxc and keepass2android). Then in browsers, I use the keepasstusk plugin to fill in login forms.

My encrypted keepass database is currently stored on dropbox, but that will transition to syncthing soon, since dropbox will likely drop linux support, and I don’t want to depend on them.

Interesting:

Probably why you use different passwords for different levels of security…
Soft passwords for soft sites, and as the need increases so does the password.
Probably a great reminder for me to consolidate and change passwords for various sites across the net.
Pays to do it from time to time.